2

我正在尝试在我的 Web 应用程序中实现 Spring Security。问题是我的网络可以在两种环境下工作,b2b 和 b2c。

b2b环境需要通过用户名和密码进行spring安全控制,b2c只需要几页。

例如:

  www.myb2b.com/home  -> login required
  www.myb2c.com/home  -> no login required
  www.myb2c.com/private/admin  -> login required

最重要的过滤器是第一个和第二个,第三个过滤器可以通过其他系统实现。

我怎样才能做到这一点?

我正在尝试配置自定义 FilterSecurityInterceptor 来覆盖 doFilter 功能。但我有冲突的错误。

我的 appContext-web-security.xml (不完全是因为仍在开发中):

<beans:beans
xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <custom-filter position="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurityInterceptor" />

        <intercept-url pattern="/**" access="ROLE_USER" />
    </http>

    <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login"/>
    </beans:bean>

    <beans:bean id="filterSecurityInterceptor" class="com.hotelbeds.tuiuk.web.spring.CustomSecurityInterceptor">
        <beans:property name="observeOncePerRequest" value="true"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    </beans:bean>

    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>


    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="sha-256" />
            <user-service>
                <user name="admin"
                    password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
                    authorities="ROLE_ADMIN" />
                <user name="user"
                    password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
4

1 回答 1

0

如果我清楚您的要求,则无需任何代码级自定义即可轻松实现:

<bean id="b2bHostMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
    <constructor-arg value="hasHeader('host','myb2b.com')"/>
</bean>

<bean id="b2cHostMatcher" class="org.springframework.security.web.util.ELRequestMatcher">
    <constructor-arg value="hasHeader('host','myb2c.com')"/>
</bean>

<security:http request-matcher-ref="b2bHostMatcher" ...>
    <!-- config for b2b requests -->
</security:http>


<security:http request-matcher-ref="b2cHostMatcher" ...>
    <!-- config for b2c requests -->
</security:http>

请注意,您的 IDE 可能会抱怨这两个<http>元素都没有pattern属性,但您可以放心地忽略它,因为只有当它们都使用 default 时才会出现问题AntPathRequestMatcher

于 2013-02-19T17:41:59.580 回答